I. Targeted Entities
As people begin to travel more post-COVID, researchers are warning that the travel industry is a prime target for an increase in cyber-related crimes. Criminal activity ranges from an uptick in adversaries targeting airline mileage reward points to the theft of credentials for travel websites. The continued increase of these types of cybercrimes can have major impacts that may include flight delays and cancelations. These attacks leave victims with hacked accounts that have been stripped of their value.
III. Background Information
Since January, researchers at Intel 471 have found multiple hacks used by threat actors to trade the credentials linked to travel websites. The threat actors were specifically interested in “mileage rewards accounts with at least 100,000 miles.” These accounts are used to earn certain rewards on every dollar spent. The credentials that were listed in February come from U.K. users from a major travel website and two U.S. airlines. The researchers at Intel 471 say, “access to these accounts allowed actors to leverage the rewards to book travel reservations for themselves and other customers. The accounts and their respective rewards points could be resold to other actors looking to conduct similar types of travel fraud activity.”
The exploitation of rewards programs, especially those associated with travel, is not new. In 2018, two Russian teens were arrested for infiltrating more than a half-million online accounts, targeting services that offer reward points. Researchers say that as the travel industry bounces back from its COVID-related slump, the industry once again becomes a target for criminals.
Other nefarious activity includes the targeting of travel-related databases. These databases contain employee and traveler personally identifiable information (PII), which the criminals can sell for money. Intel 471 researchers noticed threat actors had exploited a travel-related database of 40,000 employees in Illinois. The researchers say that this leaked information plays a role in travel-related fraud, allowing a criminal to generate new identities that can be used to cross borders or evade authorities.
Researchers at Intel 471 suggest that customers stay vigilant while making travel arrangements, book flights from reliable sources, handle payment cautiously, and be on the lookout for any out-of-place offers.
IV. MITRE ATT&CK
- T1566 – Phishing
Adversaries may utilize methods, like phishing, that involve social engineering techniques, such as posing as a trusted source.
- T1555 – Credentials from Password Stores
Adversaries may search common password storage locations to obtain user credentials.
- Phishing Awareness Training
Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
- Set Antivirus Programs to Conduct Regular Scans
Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
- Strong Cyber Hygiene
Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
- Turn on Endpoint Protection
In the product you’re using, enable endpoint detection and response (EDR) to stop unknown malware.
VI. Indicators of Compromise (IOCs)
There are no IOCs for this threat advisory. However, users should remain vigilant for anything that doesn’t seem right and take the necessary precautions as they browse the Internet.
(1) Intel 471, ed. “Cybercriminals Preying on Travel Surge with a Host of Different Scams.” Intel471, June 15, 2022. https://intel471.com/blog/travel-fraud-cybercrime-ransomware-pii.
(2) Tiwari, Sagar. “Travel-Related Cybercrime Takes Off as Industry Rebounds.” Threatpost English Global, June 15, 2022. https://threatpost.com/travel-related-cybercrime-takes-off/179962/.
Threat Advisory created by the Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Tural Hagverdiyev, Uday Bilakhiya.